Everything You Need To Know About the New Microsoft Exchange Service
In recent months, we’ve seen a spate of high-profile attacks on organizations across the globe that leverage critical vulnerabilities in on-premises versions of Microsoft Exchange Server. So far, at least 30,000 organizations running Exchange Server have been reported affected. Over the past six months, Microsoft has issued several security updates to close Exchange Server vulnerabilities.
The Emergency Mitigation (EM) service for Exchange Server is the latest addition to Microsoft’s Exchange Server defenses. The new feature is intended to help businesses quickly protect their on-premises Exchange servers. The service automatically applies interim mitigations for vulnerabilities that Microsoft has already published a mitigation for, buying IT admins time to install the actual security updates.
EM builds on an existing tool known as the Exchange On-premises Mitigation Tool (EOMT), which Microsoft released on March 15, 2021 to combat Exchange Server threats. Read on to learn more about Exchange Server threats and how the new Emergency Mitigation (EM) service can help keep your business secure.
Let’s start with a timeline of events that led to the release of the Emergency Mitigation (EM) service for Exchange Server in the September 2021 Cumulative Update (CU).
Exchange Server Threats Detected
Exacerbated by the ongoing Covid-19 pandemic, sophisticated, large-scale cyberattacks have become commonplace in the last couple of years. In the first half of 2021 alone, we saw some serious attacks perpetrated by state-sponsored espionage groups such as Hafnium, the group behind the Exchange Server attacks. Hafnium is a state-sponsored hacking group operating out of China.
According to reports, the Microsoft Exchange Server attacks were first observed in January 2021. However, Microsoft did not disclose the vulnerabilities in its Exchange Server mail and calendar software until March 2, 2021. According to the company, these vulnerabilities allowed the attackers to read mailbox contents and to install web shells and other malware on the compromised servers.
Microsoft Issues Patches
Following the announcement about the attacks, Microsoft issued out-of-band security updates to patch vulnerabilities in its Exchange Server mail and calendar software for corporate and government data centers. These critical flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), known collectively as ProxyLogon, affect on-premises Exchange Server 2013, 2016 and 2019.
Microsoft also released an update for Exchange Server 2010, which reached end of support in October 2020 and was not affected by the exploit chain, as a defense-in-depth measure. Microsoft recommends that organizations update on-premises Exchange servers as quickly as possible to prevent intrusion. Note that the security update must be installed on a supported Cumulative Update, and that patching does not evict an attacker who has already planted a web shell: servers that were exposed before patching should also be checked for compromise.
The Exchange On-premises Mitigation Tool (EOMT)
Microsoft quickly realized that many businesses were having a tough time managing and patching their on-premises Exchange Servers amidst looming zero-day threats. The company started issuing a series of PowerShell scripts to help organizations mitigate Exchange Server vulnerabilities until their servers are fully patched, culminating in the release of the Exchange On-premises Mitigation Tool (EOMT) on March 15.
EOMT is simply a PowerShell script that automates parts of both the detection and the mitigation process: it checks whether the server is vulnerable to CVE-2021-26855, applies the interim IIS URL Rewrite mitigation, and downloads and runs the Microsoft Safety Scanner (MSERT) to look for known web shells. It does not install the security update itself. By bringing the mitigation tasks and functions together, EOMT made it easier for SMBs to protect their Exchange servers from the ProxyLogon vulnerabilities with minimal room for error.
Microsoft Exchange Emergency Mitigation (EM) Service
Despite patches being available for well over six months now, many Microsoft Exchange servers are still vulnerable to the ProxyLogon bugs. Microsoft realized that more needed to be done and introduced a new Exchange Server feature to make it easier for businesses and organizations to mitigate critical Exchange Server vulnerabilities while they work on patching.
The Emergency Mitigation (EM) service for Exchange Server builds on the EOMT approach, but applies mitigations automatically rather than waiting for an admin to download and run a script. According to Microsoft, EM is the quickest and easiest way to mitigate threats to internet-facing, on-premises Exchange servers before the recommended security updates are applied.
What Is Microsoft Exchange Emergency Mitigation (EM) Service?
The Emergency Mitigation (EM) service for Exchange Server is a built-in version of EOMT. With EOMT, an admin has to download the script and run it on each server. The new service automatically applies interim mitigations to Exchange servers, protecting organizations against high-risk security flaws. This temporary measure gives IT admins more time to apply updates.
While businesses of all sizes can benefit from the new emergency mitigation service, smaller entities that don’t have dedicated IT security teams stand to gain the most from this feature. EM is an optional service: it can be disabled for the whole organization (Set-OrganizationConfig -MitigationsEnabled $false) or for a single server (Set-ExchangeServer -MitigationsEnabled $false), and individual mitigations can be blocked per server. Organizations that don’t want to use the service can turn it off and keep using EOMT to apply mitigations manually.
How Does Emergency Mitigation (EM) Work?
EM runs as a Windows service on every Exchange Mailbox server (it is not installed on Edge Transport servers). The new feature uses the cloud-based Office Config Service (OCS), the same service used by Microsoft Office, to deliver mitigations for vulnerabilities that have a known mitigation. EM can apply three kinds of mitigation: an IIS URL Rewrite rule, disabling an Exchange service, or disabling an IIS application pool. It detects servers susceptible to known threats and applies the provisional mitigation.
The service checks the OCS for available mitigations once an hour, so the server needs outbound HTTPS access to officeclient.microsoft.com. If a mitigation is available, EM downloads a signed XML file containing the pre-configured mitigation settings, verifies the signature, and applies it. Because mitigations can be published at any time, the hourly check keeps the window between publication and protection to about an hour; it does not, however, make the server “secure and up to date” in any broader sense.
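The following is an added example, not part of the original article or Microsoft’s own documentation. It collects in one place the checks a practitioner would run in the Exchange Management Shell on a Mailbox server with the September 2021 CU or later: is the EM service running, can it reach the OCS, is it enabled, what has it applied, and how to opt out as described above. The service display name, the Application log provider name and the logging folder are assumptions; the Get-Mitigations.ps1 script, the MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties and the OCS endpoint are documented by Microsoft.

```powershell
# Added example: Exchange Emergency Mitigation (EM) service health check and opt-out.
# Run in the Exchange Management Shell on a Mailbox server. $Server is a placeholder.
$Server = $env:COMPUTERNAME            # assumption: run locally on the Mailbox server
$OptOut = $false                       # set to $true only if you really want to disable EM

# 1. Is the EM Windows service installed and running?
#    (Display name matched by wildcard; assumed to start with the string below.)
Get-Service -DisplayName 'Microsoft Exchange Emergency Mitigation*' |
    Select-Object Name, DisplayName, Status, StartType

# 2. Can this server reach the Office Config Service endpoint that EM polls hourly?
#    Without outbound HTTPS to officeclient.microsoft.com no mitigation XML will arrive.
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Org-wide and per-server enablement, plus what EM has applied or been told to block.
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $Server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 4. The CU ships Get-Mitigations.ps1 in the Exchange Scripts folder; it lists the
#    mitigations currently published by the OCS and their state on this server.
$scriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1'
if (Test-Path $scriptPath) { & $scriptPath } else { Write-Warning "Get-Mitigations.ps1 not found; is the September 2021 CU installed?" }

# 5. Audit trail. EM writes to the Application log and to a folder under Logging.
#    Provider name and folder name are assumptions; adjust if they differ in your environment.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Mitigation Service' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
if (Test-Path $logDir) { Get-ChildItem $logDir | Sort-Object LastWriteTime -Descending | Select-Object -First 3 }

# 6. EM is interim. Confirm the build actually installed on this server against the
#    current Security Update; Microsoft's documented way is the ExSetup.exe file version.
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo } |
    Select-Object FileVersion, ProductVersion

# 7. Opting out (EM is optional). Per server, or org-wide; re-enable with $true.
#    Disabling stops automatic application; mitigations already applied are not rolled back
#    by this command alone, so review MitigationsApplied afterwards.
if ($OptOut) {
    Set-ExchangeServer -Identity $Server -MitigationsEnabled $false
    # Set-OrganizationConfig -MitigationsEnabled $false   # org-wide variant
}
```

Step 2 is the one most often overlooked: a server behind an egress proxy that cannot reach the OCS will report the service as running while never receiving a mitigation, so treat a failed TcpTestSucceeded as equivalent to EM being off.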
Keep in mind that Emergency Mitigation (EM) is not a permanent fix; it is only a stopgap until the security update can be installed. Exchange Server Security Updates (SUs) are still necessary, and a mitigation can be retired by Microsoft once the corresponding SU is widely available. According to Microsoft, organizations with self-hosted Exchange servers should prioritize installing security updates rather than relying on emergency mitigation.
Several nation-state attackers are still targeting businesses that have not addressed the Exchange Server flaws described above. Unpatched software remains one of the most common initial access vectors, so it is imperative that organizations patch their on-premises Exchange servers as quickly as possible, even with the EM service enabled.
Hackers are getting smarter, and their tactics are becoming more resilient to conventional cyber defenses. Businesses can no longer solely rely on standard cybersecurity tools such as antivirus and firewalls. The best approach is to partner with a reliable IT support provider such as initial.IT for customized IT support solutions.
Get in touch with us for Microsoft networking, Microsoft security, and Microsoft support services in Denver, Colorado, and the larger Rocky Mountain region.